Architecting for HIPAA Security and Compliance on Amazon Web Services
Amazon Web Services, December 2015
© 2016, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Notices
This document is provided for informational purposes only. It represents AWS's current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS's products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
Contents
Abstract
Introduction
Encryption and Protection of PHI in AWS
Amazon EC2
Amazon Elastic Block Store
Amazon Redshift
Amazon S3
Amazon Glacier
Amazon RDS for MySQL
Amazon RDS for Oracle
Elastic Load Balancing
Amazon EMR
Amazon DynamoDB
Using AWS KMS for Encryption of PHI
Auditing, Back-Ups, and Disaster Recovery
Abstract
This paper briefly outlines how companies can use Amazon Web Services (AWS) to create applications compliant with the Health Insurance Portability and Accountability Act (HIPAA). It focuses on the HIPAA Privacy and Security Rules for protecting Protected Health Information (PHI), on how to use AWS to encrypt data in transit and at rest, and on how AWS features can be used to meet HIPAA requirements for auditing, back-ups, and disaster recovery.
Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies
to covered entities and business associates. Covered entities include health
care providers engaged in certain electronic transactions, health plans, and
health care clearinghouses. Business associates are entities that provide services
to a covered entity that involve access by the business associate to Protected
Health Information (PHI), as well as entities that create, receive, maintain, or
transmit PHI on behalf of another business associate. HIPAA was expanded in
2009 by the Health Information Technology for Economic and Clinical Health
(HITECH) Act. HIPAA and HITECH establish a set of federal standards intended
to protect the security and privacy of PHI. HIPAA and HITECH impose
requirements related to the use and disclosure of PHI, appropriate safeguards to
protect PHI, individual rights, and administrative responsibilities. For additional
information on HIPAA and HITECH, visit http://www.hhs.gov/ocr/privacy/.
Covered entities and their business associates can use the secure, scalable, low-cost IT components provided by Amazon Web Services (AWS) to architect applications in alignment with HIPAA and HITECH compliance requirements. AWS offers a commercial-off-the-shelf infrastructure platform with industry-recognized certifications and audits such as ISO 27001, FedRAMP, and the Service Organization Control reports (SOC 1, SOC 2, and SOC 3). AWS services and data centers have multiple layers of operational and physical security to help ensure the integrity and safety of customer data. With no minimum fees, no term-based contracts required, and pay-as-you-use pricing, AWS is a reliable and effective solution for growing health care industry applications.
AWS enables covered entities and their business associates subject to HIPAA to
securely process, store, and transmit PHI. Additionally, AWS, as of July 2013,
offers a standardized Business Associate Addendum (BAA) for such customers.
Customers who execute an AWS BAA may use any AWS service in an account
designated as a HIPAA Account, but they may only process, store and transmit
PHI using the HIPAA-eligible services defined in the AWS BAA. At the time of
publication of this whitepaper, HIPAA-eligible services include the following:
Amazon DynamoDB
Amazon Glacier
Amazon Redshift
Amazon EC2
Amazon EC2 is a scalable, user-configurable compute service that supports multiple methods for encrypting data at rest. For example, customers might elect to perform application- or field-level encryption of PHI as it is processed within an application or database platform hosted on an Amazon EC2 instance. Approaches range from encrypting data with the standard libraries of an application framework such as Java or .NET, to using the Transparent Data Encryption features of Microsoft SQL Server or Oracle, to integrating third-party or software as a service (SaaS)-based solutions into their applications. Customers can integrate their applications running on Amazon EC2 with the AWS KMS SDKs, simplifying key management and storage. Customers can also encrypt data at rest at the file level or with full disk encryption (FDE), using third-party software from AWS Marketplace partners or native file system encryption tools such as dm-crypt and LUKS.
Network traffic containing PHI must be encrypted in transit. For traffic between external sources (such as the Internet or a traditional IT environment) and Amazon EC2, customers should use industry-standard transport encryption
Amazon EC2 instances that customers use to process, store, or transmit PHI are required to run as Dedicated Instances or on Dedicated Hosts. These are instances that run in an Amazon VPC on hardware dedicated to a single customer. Dedicated Instances and Dedicated Hosts are physically isolated at the host hardware level from instances that are not Dedicated Instances or Dedicated Hosts and from instances that belong to other AWS accounts. For more information on Dedicated Instances, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/dedicated-instance.html.

Customers can also use Dedicated Hosts for systems that process, store, or transmit PHI. For more information about Dedicated Hosts, see https://aws.amazon.com/ec2/dedicated-hosts/.
Amazon Virtual Private Cloud offers a set of network security features well aligned to architecting for HIPAA compliance. Features such as stateless network access control lists and dynamic reassignment of instances into stateful security
Amazon Redshift
Amazon Redshift provides database encryption for its clusters to help protect data at rest. When customers enable encryption for a cluster, Amazon Redshift encrypts all data, including backups, using hardware-accelerated Advanced Encryption Standard (AES)-256. Amazon Redshift uses a four-tier, key-based architecture for encryption: data encryption keys encrypt the data blocks in the cluster, a database key encrypts the data encryption keys, a cluster key encrypts the database key, and a master key held outside the cluster protects the cluster key. Customers can use either AWS KMS or an AWS CloudHSM (hardware security module) to manage the cluster key. Amazon Redshift encryption at rest is consistent with the Guidance in effect at the time of publication of this whitepaper. Because the Guidance might be updated, customers should continue to evaluate whether Amazon Redshift encryption satisfies their compliance and regulatory requirements. For more information, see http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html.
Amazon S3
Customers have several options for encryption of data at rest when using Amazon
S3, including both server-side and client-side encryption and several methods of
managing keys. For more information see
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html.
Customers should not use PHI in bucket names, object names, or metadata
because this data is not encrypted using S3 server-side encryption and is not
generally encrypted in client-side encryption architectures.
Amazon Glacier
Amazon Glacier automatically encrypts data at rest using AES-256 symmetric keys and supports transfer of customer data over encrypted protocols. Connections to Amazon Glacier carrying PHI must use endpoints that accept encrypted transport (HTTPS). For a list of regional endpoints, see http://docs.aws.amazon.com/general/latest/gr/rande.html#glacier_region.
Customers should not use PHI in archive and vault names or metadata because
this data is not encrypted using Amazon Glacier server-side encryption and is not
generally encrypted in client-side encryption architectures.
encrypted consistent with the Guidance in effect at the time of publication of this whitepaper, as are automated backups, read replicas, and snapshots. Because the Guidance might be updated, customers should continue to evaluate and determine whether Amazon RDS for MySQL encryption satisfies their compliance and regulatory requirements. For more information on encryption at rest using Amazon RDS, see http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html.
Connections to RDS for MySQL carrying PHI must use transport encryption. For more information on enabling encrypted connections, see http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html.
Amazon RDS for Oracle
Customers can encrypt Oracle databases using keys that customers manage through AWS KMS. On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted consistent with the Guidance in effect at the time of publication of this whitepaper, as are automated backups, read replicas, and snapshots. Because the Guidance might be updated, customers should continue to evaluate and determine whether Amazon RDS for Oracle encryption satisfies their compliance and regulatory requirements. For more information on encryption at rest using Amazon RDS, see http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html.
Customers can also leverage Oracle Transparent Data Encryption (TDE), and
customers should evaluate the configuration for consistency with the Guidance.
Oracle TDE is a feature of the Oracle Advanced Security option available in
Oracle Enterprise Edition. This feature automatically encrypts data before it is
written to storage and automatically decrypts data when the data is read from
storage. Customers can also use AWS CloudHSM to store Amazon RDS Oracle
TDE keys. For more information, see the following:
Connections to Amazon RDS for Oracle carrying PHI must use transport encryption, and customers should evaluate the configuration for consistency with the Guidance. Transport encryption is provided by Oracle Native Network Encryption, which is enabled through Amazon RDS for Oracle option groups. When configuring the option, set SQLNET.ENCRYPTION_SERVER to REQUIRED rather than ACCEPTED or REQUESTED, so that a client cannot negotiate an unencrypted session. For detailed information, see http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.html#Appendix.Oracle.Options.NetworkEncryption.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html.
Amazon EMR
Amazon EMR deploys and manages a cluster of Amazon EC2 instances in a customer's account. All Amazon EC2 instances that process, store, or transmit PHI must be Dedicated Instances. To meet this requirement, EMR clusters must be created in a VPC whose instance tenancy attribute is set to dedicated, which ensures that all cluster nodes (instances) launched into the VPC run as Dedicated Instances.
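Rather than trusting that every PHI system was launched with the right tenancy, a practitioner will want to verify it, both for the EMR nodes just described and for the Amazon EC2 instances covered by the Dedicated Instances requirement above. The following Go program is an added example, not code from the whitepaper or from AWS: it reads ec2:DescribeInstances output (the shape returned by `aws ec2 describe-instances --output json`) and flags every non-terminated, PHI-tagged instance whose Placement.Tenancy is neither dedicated (Dedicated Instance) nor host (Dedicated Host). The DataClass=PHI tag is an assumed convention, and the embedded JSON is constructed sample data, not output captured from a real account.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// describeInstancesOutput is the subset of the ec2:DescribeInstances response
// (aws ec2 describe-instances --output json) that this check reads.
type describeInstancesOutput struct {
	Reservations []struct {
		Instances []struct {
			InstanceID string `json:"InstanceId"`
			State      struct {
				Name string `json:"Name"`
			} `json:"State"`
			Placement struct {
				Tenancy string `json:"Tenancy"` // "default", "dedicated" or "host"
			} `json:"Placement"`
			Tags []struct {
				Key   string `json:"Key"`
				Value string `json:"Value"`
			} `json:"Tags"`
		} `json:"Instances"`
	} `json:"Reservations"`
}

// Finding is one instance that handles PHI but runs on shared-tenancy hardware.
type Finding struct {
	InstanceID string
	Tenancy    string
}

// Assumed tagging convention for this example: instances that process, store or
// transmit PHI carry the tag DataClass=PHI. Any marker works if applied consistently
// (for EMR, tags set on the cluster propagate to its EC2 instances).
const phiTagKey, phiTagValue = "DataClass", "PHI"

// sharedTenancyPHIInstances parses DescribeInstances JSON and returns every
// non-terminated PHI instance whose Placement.Tenancy is neither "dedicated"
// (Dedicated Instance) nor "host" (Dedicated Host).
func sharedTenancyPHIInstances(raw []byte) ([]Finding, error) {
	var out describeInstancesOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, fmt.Errorf("parse DescribeInstances output: %w", err)
	}
	var findings []Finding
	for _, r := range out.Reservations {
		for _, inst := range r.Instances {
			if inst.State.Name == "terminated" {
				continue
			}
			isPHI := false
			for _, t := range inst.Tags {
				if t.Key == phiTagKey && t.Value == phiTagValue {
					isPHI = true
				}
			}
			if !isPHI {
				continue
			}
			switch inst.Placement.Tenancy {
			case "dedicated", "host":
				// single-tenant hardware, as the BAA requires for PHI
			default:
				findings = append(findings, Finding{inst.InstanceID, inst.Placement.Tenancy})
			}
		}
	}
	return findings, nil
}

// sampleDescribeInstances is constructed sample output, not captured from a real account.
const sampleDescribeInstances = `{"Reservations":[{"Instances":[
 {"InstanceId":"i-0a1b2c3d4e5f60001","State":{"Code":16,"Name":"running"},
  "Placement":{"AvailabilityZone":"us-east-1a","Tenancy":"dedicated"},
  "Tags":[{"Key":"DataClass","Value":"PHI"}]},
 {"InstanceId":"i-0a1b2c3d4e5f60002","State":{"Code":16,"Name":"running"},
  "Placement":{"AvailabilityZone":"us-east-1a","Tenancy":"default"},
  "Tags":[{"Key":"DataClass","Value":"PHI"},{"Key":"Name","Value":"emr-core-node"}]},
 {"InstanceId":"i-0a1b2c3d4e5f60003","State":{"Code":16,"Name":"running"},
  "Placement":{"AvailabilityZone":"us-east-1b","Tenancy":"default"},
  "Tags":[{"Key":"DataClass","Value":"public"}]},
 {"InstanceId":"i-0a1b2c3d4e5f60004","State":{"Code":16,"Name":"running"},
  "Placement":{"AvailabilityZone":"us-east-1b","Tenancy":"host","HostId":"h-0123456789abcdef0"},
  "Tags":[{"Key":"DataClass","Value":"PHI"}]},
 {"InstanceId":"i-0a1b2c3d4e5f60005","State":{"Code":48,"Name":"terminated"},
  "Placement":{"AvailabilityZone":"us-east-1a","Tenancy":"default"},
  "Tags":[{"Key":"DataClass","Value":"PHI"}]}
]}]}`

func main() {
	findings, err := sharedTenancyPHIInstances([]byte(sampleDescribeInstances))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("NON-COMPLIANT %s tenancy=%s (PHI instance must be a Dedicated Instance or on a Dedicated Host)\n", f.InstanceID, f.Tenancy)
	}
	if len(findings) == 0 {
		fmt.Println("all PHI instances run on dedicated tenancy")
	}
}
```

Against the sample data only the EMR core node on default tenancy is reported. To run the same check against a live account, save `aws ec2 describe-instances --output json` to a file and pass its contents to sharedTenancyPHIInstances instead of the embedded sample; a VPC created with dedicated instance tenancy should produce no findings for instances launched into it.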
Amazon DynamoDB
Connections to Amazon DynamoDB carrying PHI must use endpoints that accept encrypted transport (HTTPS). For a list of regional endpoints, see http://docs.aws.amazon.com/general/latest/gr/rande.html#ddb_region.
PHI stored in Amazon DynamoDB must be encrypted at rest consistent with the Guidance. Amazon DynamoDB customers can use the application development framework of their choice to encrypt PHI in the application before storing it in Amazon DynamoDB. Alternatively, a client-side library for encrypting content is available from the AWS Labs GitHub repository at https://github.com/awslabs/aws-dynamodb-encryption-java; customers should evaluate this implementation for consistency with the Guidance. Take care when selecting primary keys and creating indexes so that unencrypted PHI is not required for queries and scans in Amazon DynamoDB: partition keys, sort keys, and indexed attributes are stored and compared in the clear by the service, so client-side encryption cannot protect them.
and decrypting PHI in the application. The data encryption keys would be protected by customer master keys stored in AWS KMS, creating a highly auditable key hierarchy, because every API call to AWS KMS is logged in AWS CloudTrail.
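The key hierarchy described above, data keys protected by a master key in AWS KMS, is envelope encryption, and it is also what the application-level encryption mentioned for Amazon EC2 and the client-side encryption recommended for Amazon DynamoDB come down to in practice. The Go program below is an added example, not code from the whitepaper or from AWS: each record gets a fresh AES-256-GCM data encryption key (DEK), the DEK is wrapped under a master key, and the stored record carries an HMAC-SHA256 blind index of the patient identifier so that the primary key used for lookups contains no PHI. The in-process `kek` type is an assumption standing in for the KMS key so the example runs offline; in a deployment the wrap and unwrap steps would be kms:GenerateDataKey and kms:Decrypt calls. The patient identifier and payload are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// kek is a local stand-in for the customer master key (CMK) in AWS KMS, assumed so the
// example runs offline. In a deployment, wrap/unwrap would be kms:GenerateDataKey and
// kms:Decrypt calls (each logged in CloudTrail) and the CMK would never leave KMS.
type kek struct{ key []byte }

// randomBytes draws n bytes from the system CSPRNG (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG leaves no safe way to continue
	}
	return b
}

// aesGCM returns an AES-GCM AEAD; a 32-byte key selects AES-256.
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check makes any tampering or wrong key fail.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// Record is what is actually stored (DynamoDB item, S3 object, database row): no plaintext PHI.
type Record struct {
	PatientIndex string // HMAC of the patient identifier; usable as partition key or index
	WrappedDEK   []byte // per-record data encryption key, encrypted under the master key
	Ciphertext   []byte // PHI encrypted under the DEK
}

// blindIndex derives a deterministic keyed token so equality lookups work without the
// table holding the identifier itself. indexKey is a secret kept separate from the KEK.
func blindIndex(indexKey []byte, patientID string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(patientID))
	return hex.EncodeToString(mac.Sum(nil))
}

// encryptRecord is envelope encryption: a fresh 256-bit DEK encrypts the PHI, and only
// the 32-byte DEK is sent to the key-management tier to be wrapped under the master key.
func encryptRecord(master kek, indexKey []byte, patientID string, phi []byte) (Record, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, phi)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(master.key, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{blindIndex(indexKey, patientID), wrapped, ct}, nil
}

// decryptRecord unwraps the DEK with the master key, then decrypts the PHI with the DEK.
func decryptRecord(master kek, rec Record) ([]byte, error) {
	dek, err := open(master.key, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext)
}

func main() {
	master, indexKey := kek{randomBytes(32)}, randomBytes(32)
	rec, err := encryptRecord(master, indexKey, "MRN-00017", []byte(`{"dx":"E11.9"}`)) // constructed PHI
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: index=%s... wrappedDEK=%d bytes ciphertext=%d bytes\n", rec.PatientIndex[:16], len(rec.WrappedDEK), len(rec.Ciphertext))
	plain, err := decryptRecord(master, rec)
	fmt.Println("lookup matches:", blindIndex(indexKey, "MRN-00017") == rec.PatientIndex, "| decrypted:", string(plain), err)
}
```

The stored Record is safe to write as a DynamoDB item or S3 object: the only attribute usable for queries is the blind index, and a reader without the master key gets nothing from the wrapped DEK or the ciphertext. Two caveats apply. The blind index is deterministic by design, so anyone who can read the table can tell which records share a patient identifier; it protects the identifier's value, not its equality pattern. And decrypting one record requires one unwrap call per DEK, which is the audit trail CloudTrail records when the master key lives in AWS KMS.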
Auditing, Back-Ups, and Disaster Recovery
Under HIPAA, covered entities must have a contingency plan to protect data in case of an emergency and must create and maintain retrievable exact copies of electronic PHI. To implement a data back-up plan on AWS, Amazon EBS offers persistent storage for Amazon EC2 virtual server instances. These volumes can be exposed as standard block devices, and they offer off-instance storage that persists independently of the life of an instance. To align with HIPAA guidelines, customers can create point-in-time snapshots of Amazon EBS volumes; snapshots are automatically stored in Amazon S3 and replicated across multiple Availability Zones, which are distinct locations engineered to be insulated from failures in other Availability Zones. Snapshots of encrypted volumes remain encrypted, so backups inherit the at-rest protection of the source volume. These snapshots can be accessed at any time and provide long-term durability for the data. Amazon S3 also provides a highly available solution for data storage and automated back-ups. When a customer loads a file or image into Amazon S3, multiple redundant copies are automatically created and stored in separate data centers. These files can be accessed at any time, from anywhere (subject to permissions), and are stored until intentionally deleted.
With Amazon EC2, administrators can start server instances very quickly and can use an Elastic IP address (a static IP address for the cloud computing environment) for graceful failover from one machine to another. Amazon EC2 also offers Availability Zones. Administrators can launch Amazon EC2 instances in multiple Availability Zones to create geographically diverse, fault-tolerant systems that are highly resilient to network failures, natural disasters, and most other probable sources of downtime. Using Amazon S3, a customer's data is replicated and automatically stored in separate data centers to provide reliable data storage designed for 99.99% availability.
For more information on disaster recovery, see the AWS Disaster Recovery whitepaper available at http://aws.amazon.com/disaster-recovery/.